Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 81abf8d5 by security tracker role at 2019-05-09T20:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,4 +1,24 @@ -CVE-2019-11842 [Use SystemRandom for token generation] +CVE-2019-11846 + RESERVED +CVE-2019-11845 + RESERVED +CVE-2019-11844 + RESERVED +CVE-2019-11843 + RESERVED +CVE-2019-11841 + RESERVED +CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) + TODO: check +CVE-2019-11839 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) + TODO: check +CVE-2019-11838 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) + TODO: check +CVE-2019-11837 (njs through 0.3.1, used in NGINX, has a segmentation fault in String.p ...) + TODO: check +CVE-2019-11836 (The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android ...) + TODO: check +CVE-2019-11842 (An issue was discovered in Matrix Sydent before 1.0.3 and Synapse befo ...) - matrix-synapse 0.99.2-5 NOTE: https://matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/ CVE-2019-11835 (cJSON before 1.7.11 allows out-of-bounds access, related to multiline ...) @@ -964,7 +984,7 @@ CVE-2019-11446 (An issue was discovered in ATutor through 2.2.4. It allows the u NOT-FOR-US: ATutor CVE-2019-11445 (OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JS ...) NOT-FOR-US: OpenKM -CVE-2019-11444 (An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker ca ...) +CVE-2019-11444 (** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. ...) NOT-FOR-US: Liferay Portal CE CVE-2019-11443 RESERVED @@ -1171,8 +1191,8 @@ CVE-2019-11355 RESERVED CVE-2019-11354 (The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows te ...) NOT-FOR-US: client in Electronic Arts (EA) Origin on Windows -CVE-2019-11353 - RESERVED +CVE-2019-11353 (The EnGenius EWS660AP router with firmware 2.0.284 allows an attacker ...) + TODO: check CVE-2019-11352 RESERVED CVE-2019-11351 (TeamSpeak 3 Client before 3.2.5 allows remote code execution in the Qt ...) @@ -1238,8 +1258,8 @@ CVE-2019-11326 RESERVED CVE-2019-11325 RESERVED -CVE-2019-11323 - RESERVED +CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, which trig ...) + TODO: check CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases ...) - python-urllib3 <unfixed> (bug #927412) NOTE: https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4 @@ -4169,6 +4189,7 @@ CVE-2019-1000031 (A disk space or quota exhaustion issue exists in article2pdf_g NOT-FOR-US: article2pdf Wordpress plugin CVE-2018-20815 [device_tree: heap buffer overflow while loading device tree blob] RESERVED + {DLA-1781-1} - qemu 1:3.1+dfsg-7 [stretch] - qemu <postponed> (Minor issue) - qemu-kvm <removed> @@ -5431,8 +5452,8 @@ CVE-2019-9849 RESERVED CVE-2019-9848 RESERVED -CVE-2019-9847 - RESERVED +CVE-2019-9847 (A vulnerability in LibreOffice hyperlink processing allows an attacker ...) + TODO: check CVE-2019-9857 (In the Linux kernel through 5.0.2, the function inotify_update_existin ...) - linux 4.19.37-1 [stretch] - linux <not-affected> (Vulnerable code not present) @@ -5522,6 +5543,7 @@ CVE-2019-9825 (FeiFeiCMS 4.1.190209 allows remote attackers to upload and execut NOT-FOR-US: FeiFeiCMS CVE-2019-9824 RESERVED + {DLA-1781-1} - qemu 1:3.1+dfsg-6 [stretch] - qemu <no-dsa> (Minor issue, pending for stable point update) - qemu-kvm <removed> @@ -9188,7 +9210,7 @@ CVE-2019-8385 RESERVED CVE-2019-8384 RESERVED -CVE-2019-8383 (An issue was discovered in AdvanceCOMP before 2.1. An invalid memory a ...) +CVE-2019-8383 (An issue was discovered in AdvanceCOMP through 2.1. An invalid memory ...) - advancecomp <unfixed> (bug #928730) [stretch] - advancecomp <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/272/ @@ -9201,7 +9223,7 @@ CVE-2019-8381 (An issue was discovered in Tcpreplay 4.3.1. An invalid memory acc NOTE: Crash in a CLI tool, no security impact CVE-2019-8380 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...) NOT-FOR-US: Bento4 -CVE-2019-8379 (An issue was discovered in AdvanceCOMP before 2.1. A NULL pointer dere ...) +CVE-2019-8379 (An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer der ...) - advancecomp <unfixed> (bug #928729) [stretch] - advancecomp <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/271/ @@ -12149,8 +12171,8 @@ CVE-2019-7183 RESERVED CVE-2019-7182 RESERVED -CVE-2019-7181 - RESERVED +CVE-2019-7181 (Buffer Overflow vulnerability in myQNAPcloud Connect 1.3.3.0925 and ea ...) + TODO: check CVE-2019-7180 RESERVED CVE-2019-7179 @@ -13573,12 +13595,12 @@ CVE-2019-6568 (A vulnerability has been identified in CP1604 (All versions), CP1 NOT-FOR-US: Siemens CVE-2019-6567 RESERVED -CVE-2019-6566 - RESERVED +CVE-2019-6566 (GE Communicator, all versions prior to 4.0.517, allows a non-administr ...) + TODO: check CVE-2019-6565 (Moxa IKS and EDS fails to properly validate user input, giving unauthe ...) NOT-FOR-US: Moxa -CVE-2019-6564 - RESERVED +CVE-2019-6564 (GE Communicator, all versions prior to 4.0.517, allows a non-administr ...) + TODO: check CVE-2019-6563 (Moxa IKS and EDS generate a predictable cookie calculated with an MD5 ...) NOT-FOR-US: Moxa CVE-2019-6562 (In Philips Tasy EMR, Tasy EMR Versions 3.02.1744 and prior, the softwa ...) @@ -13609,16 +13631,16 @@ CVE-2019-6550 (Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple sta NOT-FOR-US: Advantech WebAccess/SCADA CVE-2019-6549 (An attacker could retrieve plain-text credentials stored in a XML file ...) NOT-FOR-US: PR100088 Modbus -CVE-2019-6548 - RESERVED +CVE-2019-6548 (GE Communicator, all versions prior to 4.0.517, contains two backdoor ...) + TODO: check CVE-2019-6547 (Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00 ...) NOT-FOR-US: Delta Industrial Automation CNCSoft -CVE-2019-6546 - RESERVED +CVE-2019-6546 (GE Communicator, all versions prior to 4.0.517, allows an attacker to ...) + TODO: check CVE-2019-6545 (AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and I ...) NOT-FOR-US: AVEVA -CVE-2019-6544 - RESERVED +CVE-2019-6544 (GE Communicator, all versions prior to 4.0.517, has a service running ...) + TODO: check CVE-2019-6543 (AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and I ...) NOT-FOR-US: AVEVA CVE-2019-6542 (ENTTEC Datagate MK2, Storm 24, Pixelator all firmware versions prior t ...) @@ -19265,10 +19287,10 @@ CVE-2019-4074 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 NOT-FOR-US: IBM CVE-2019-4073 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 and 6.0.0.1 is vu ...) NOT-FOR-US: IBM -CVE-2019-4072 - RESERVED -CVE-2019-4071 - RESERVED +CVE-2019-4072 (IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard ...) + TODO: check +CVE-2019-4071 (IBM Tivoli Storage Productivity Center (IBM Spectrum Control Standard ...) + TODO: check CVE-2019-4070 RESERVED CVE-2019-4069 @@ -27052,8 +27074,8 @@ CVE-2019-1570 (The Expedition Migration tool 1.1.8 and earlier may allow an auth NOT-FOR-US: Expedition Migration tool CVE-2019-1569 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool -CVE-2019-1568 - RESERVED +CVE-2019-1568 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto ...) + TODO: check CVE-2019-1567 (The Expedition Migration tool 1.1.6 and earlier may allow an authentic ...) NOT-FOR-US: Expedition Migration tool CVE-2019-1566 (The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN- ...) @@ -31538,8 +31560,7 @@ CVE-2019-0227 (A Server Side Request Forgery (SSRF) vulnerability affected the A NOTE: disclosure mentions "03/12/2019 - Apache applied SSRF patch": NOTE: https://github.com/RhinoSecurityLabs/CVEs/issues/1 NOTE: https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5 -CVE-2019-0226 - RESERVED +CVE-2019-0226 (Apache Karaf Config service provides a install method (via service or ...) - apache-karaf <itp> (bug #881297) CVE-2019-0225 (A specially crafted url could be used to access files under the ROOT d ...) - jspwiki <removed> @@ -32921,6 +32942,7 @@ CVE-2018-18851 CVE-2018-18850 (In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authen ...) NOT-FOR-US: Octopus Deploy CVE-2018-18849 (In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-boun ...) + {DLA-1781-1} - qemu 1:3.1+dfsg-1 (bug #912535) [stretch] - qemu <no-dsa> (Minor issue, pending for stable point update) - qemu-kvm <removed> @@ -51387,6 +51409,7 @@ CVE-2018-11808 (Incorrect Access Control in CustomFieldsFeedServlet in Zoho Mana CVE-2018-11807 RESERVED CVE-2018-11806 (m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via inc ...) + {DLA-1781-1} - qemu 1:3.1+dfsg-1 (bug #901017) [stretch] - qemu <no-dsa> (Minor issue, pending for stable point update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html @@ -98805,8 +98828,8 @@ CVE-2017-12841 RESERVED CVE-2017-12840 (A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client ...) NOTE: DESLock+ -CVE-2017-12839 - RESERVED +CVE-2017-12839 (A heap-based buffer over-read in the getbits function in src/libmpg123 ...) + TODO: check CVE-2017-12838 (Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows ...) NOT-FOR-US: NexusPHP CVE-2017-12837 (Heap-based buffer overflow in the S_regatom function in regcomp.c in P ...) @@ -98882,12 +98905,12 @@ CVE-2017-12808 RESERVED CVE-2017-12807 REJECTED -CVE-2017-12806 - RESERVED -CVE-2017-12805 - RESERVED -CVE-2017-12804 - RESERVED +CVE-2017-12806 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) + TODO: check +CVE-2017-12805 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) + TODO: check +CVE-2017-12804 (The iwgif_init_screen function in imagew-gif.c:510 in ImageWorsener 1. ...) + TODO: check CVE-2017-12803 (The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0. ...) NOT-FOR-US: mkclean CVE-2017-12802 (The EBML_IntegerValue function in ebmlnumber.c in libebml2 through 201 ...) @@ -98939,12 +98962,12 @@ CVE-2017-12791 (Directory traversal vulnerability in minion id validation in Sal NOTE: https://github.com/saltstack/salt/pull/42944 NOTE: https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a NOTE: https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html -CVE-2017-12790 - RESERVED +CVE-2017-12790 (Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The ...) + TODO: check CVE-2017-12789 RESERVED -CVE-2017-12788 - RESERVED +CVE-2017-12788 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) + TODO: check CVE-2017-12787 (A network interface of the novi_process_manager_daemon service, includ ...) NOT-FOR-US: NoviWare CVE-2017-12786 (Network interfaces of the cliengine and noviengine services, included ...) @@ -98963,8 +98986,8 @@ CVE-2017-12780 (The ReadData function in ebmlstring.c in libebml2 through 2012-0 NOT-FOR-US: libembl2 (different codebase than src:libebml) CVE-2017-12779 (The Node_GetData function in corec/corec/node/node.c in mkvalidator 0. ...) NOT-FOR-US: libembl2 (different codebase than src:libebml) -CVE-2017-12778 - RESERVED +CVE-2017-12778 (The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Aut ...) + TODO: check CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to non-UFO path ...) {DSA-3981-1} - linux 4.12.6-1 (low) @@ -99041,16 +99064,16 @@ CVE-2017-12762 (In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is cop - linux 4.13.4-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/9f5af546e6acc30f075828cb58c7f09665033967 (v4.13-rc4) NOTE: Driver is disabled since squeeze and unmaintained for a long time -CVE-2017-12761 - RESERVED -CVE-2017-12760 - RESERVED -CVE-2017-12759 - RESERVED -CVE-2017-12758 - RESERVED -CVE-2017-12757 - RESERVED +CVE-2017-12761 (http://codecanyon.net/user/Endober WebFile Explorer 1.0 is affected by ...) + TODO: check +CVE-2017-12760 (Ynet Interactive - http://demo.ynetinteractive.com/mobiketa/ Mobiketa ...) + TODO: check +CVE-2017-12759 (Ynet Interactive - http://demo.ynetinteractive.com/soa/ SOA School Man ...) + TODO: check +CVE-2017-12758 (https://www.joomlaextensions.co.in/ Joomla! Component Appointment 1.1 ...) + TODO: check +CVE-2017-12757 (Certain Ambit Technologies Pvt. Ltd products are affected by: SQL Inje ...) + TODO: check CVE-2017-12756 (Command inject in transfer from another server in extplorer 2.1.9 and ...) {DLA-1063-1} - extplorer <removed> View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81abf8d568fa3fee389a74d2a8d5dfa0a347009b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81abf8d568fa3fee389a74d2a8d5dfa0a347009b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits